Confidential clients must send client credentials with requests to endpoints that require authentication. This includes token, introspection and revocation endpoints.

Two types of client credentials are defined: symmetric client secret and asymmetric client private key.

Client registration parameter "token_endpoint_auth_method" controls what authentication method client is expected to use. If registration parameter is not defined then provider automatically detects type of client credentials and one of "client_secret_basic" or "client_secret_form" is allowed.

Public clients

Since SSO v. 8.10 client registration parameter "token_endpoint_auth_method" value "none" is supported to indicate a public client. These clients are not entitled to send client authentication but client identification only. In this case client sends client_id as form POST data.

Client Secret

Name	Description
client_secret_basic	Client uses HTTP Basic authentication scheme with client_id and client_secret
client_secret_post	Client sends client_id and client_secret as HTML Form parameters
client_secret_jwt	Client uses JWTs for Client Authentication The JWT is signed with a key derived from client_secret

Name

Description

client_secret_basic

Client uses HTTP Basic authentication scheme with client_id and client_secret

client_secret_post

Client sends client_id and client_secret as HTML Form parameters

client_secret_jwt

Client uses JWTs for Client Authentication

The JWT is signed with a key derived from client_secret

Client Private Key

Name	Description
private_key_jwt	Client uses JWTs for Client Authentication The JWT is signed with client's private key Client registration parameter "jwks" is used to communicate client's public key with provider

Name

Description

private_key_jwt

Client uses JWTs for Client Authentication

The JWT is signed with client's private key

Client registration parameter "jwks" is used to communicate client's public key with provider

JWTs for Client Authentication

Registration parameters

Name	Description
token_endpoint_auth_method	"client_secret_jwt" or "private_key_jwt"
token_endpoint_auth_signing_alg

Name

Description

token_endpoint_auth_method

"client_secret_jwt"

"private_key_jwt"

token_endpoint_auth_signing_alg

Parameters

Name	Description
client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
client_assertion	Contains a single JWT

JWT Claims

Name	Description
iss	Issuer Matches client_id of client
sub	Subject Matches client_id of client
aud	Audience Matches issuer identifier
exp	Expiration time Expiration time must not be more than 60 minutes into future
jti	JWT ID The jti claim is used to enforce one-time use of JWTs

Client Secret

Client Private Key

JWTs for Client Authentication

Registration parameters

Parameters

JWT Claims

References

Browser not supported